Code review fixes, Docker, and deployment config

- Fix tsconfig: switch to ESNext/Bundler module resolution (tsx compatible)
- Sanitize file extensions against path traversal (^.[a-zA-Z0-9]+$ only)
- Sanitize Content-Disposition filename to prevent header injection
- Extract tokenCookieOptions helper to eliminate duplication across auth handlers
- Remove unused baseUrl param from fileListPage
- Add Dockerfile (multi-stage build with alpine + native tools for bcrypt)
- Add docker-compose.yml with named volume for data persistence
- Add .env.example with all environment variables documented

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/routes/api/v1/auth.ts

@@ -4,7 +4,7 @@ import type { Config } from '../../../config.ts';
 import type { Logger } from '../../../middleware/logging.ts';
 import { getUserByUsername } from '../../../db/users.ts';
 import { verifyPassword } from '../../../services/auth.ts';
-import { requireAuth } from '../../../middleware/auth.ts';
+import { requireAuth, tokenCookieOptions } from '../../../middleware/auth.ts';
 
 interface Deps {
   db: Database.Database;
@@ -40,14 +40,7 @@ export const authApiRoutes: FastifyPluginAsync<{ deps: Deps }> = async (app, { d
     await logger.authSuccess({ ip, userAgent, username });
 
     const token = app.jwt.sign({ sub: user.id, username: user.username }, { expiresIn: config.jwtExpiry });
-    reply
-      .setCookie('token', token, {
-        httpOnly: true,
-        sameSite: 'strict',
-        secure: config.cookieSecure,
-        path: '/',
-      })
-      .send({ ok: true });
+    reply.setCookie('token', token, tokenCookieOptions(config.cookieSecure)).send({ ok: true });
   });
 
   app.post('/logout', { preHandler: requireAuth }, async (_request, reply) => {